A computer network (or, simply, a network) is two or more interconnected computing devices that provide voice and/or data processing. The term “network boundary” refers to a logical boundary between a network and the computing devices that are outside of the network. Various network access schemes exist to control access to a network boundary. One scheme for controlling network access involves the use of three network entities: an access requestor, a policy enforcement point, and a policy decision point.
An access requestor is an entity that seeks access to a network (e.g., to a protected network). The access requestor typically includes the software, hardware, and/or firmware necessary to negotiate a connection to the network. Almost any computing device capable of negotiating a connection to a network may be an access requestor including, for example, a personal computer or a server.
A policy enforcement point is an entity that enforces the access decisions of the policy decision point. The policy enforcement point may also engage in an authentication/authorization process with the access requestor and forward the results of the authentication/authorization process to the policy decision point. A policy enforcement point is typically implemented in, for example, a switch, a firewall, and/or a Virtual Private Network (VPN) gateway.
A policy decision point is a network entity that decides whether to grant network access rights to an access requestor based, for example, on an access policy. The policy decision point typically grants network access based on a network access policy. In conventional networks, the policy decision point is typically implemented in a server coupled with the policy enforcement point.
The conventional approach to controlling network access has a number of limitations. One limitation is that conventional networks are limited to statically defining the network access role of a computing device. This static designation of a network access role usually corresponds to a particular class of devices. For example, policy enforcement points are typically limited to being implemented in devices such as access points and switches. In addition, conventional approaches for controlling network access merely provide an implicit definition of the network boundary. The reason for this is that the topology of devices acting as policy enforcement points implicitly define the boundary of the network.